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AMENDMENTS TO THE CLAIMS 



Claim 1 . (currently amended) A method of controlling access to user-specific 
information for use in connection with a network computing environment including a 
web-services provider providing a web-based software service, said method of 
controlling access to the user-specific information comprising: 

providing a user access to a service provided by the web-services provider, said 
web-services provider maintaining a data store of user-specific information associated 
with the user in connection with the service, said web-services provider maintaining an 
access control list identifying when the user grants a form of access to a client wherein 
the form of access granted to the client is limited to certain user-specific information; 

providing a client access to the service provided the web-services provider, said 
client seeking access to some of the user-specific information maintained in the data 
store; 

obtaining an access request message from the client and directed to the 
software service requesting user-specific information, said request message including 
an access request parameter indicating the client's requested form of access to the 
user-specific information in the data store; 

comparing the access request parameter to an access control list assorted 
with the software service, said access control list identifying whether the user hai; 
granted the form of access requested by the client; 

permitting the client to have access to the requested user-specific information in 
the data store if the user has granted the form of access requested by the client; and 

invoking an access control engine if the user has not previously granted the form 
of access requested by the client, said access control engine: 

determining an intended use by the client of the requested user-specific 

information in the data store; 

comparing the determined intended use by the client with a default access 

control instruction; 

updating the access control list to permit the client to have access to the 
requested user-specific information in the data store if the default access control 
instruction permits the determined Intended use; and 
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transmitting a fault response to the client if the default access control instiuction 
does not permit the determined intended useiand 

wherein the user communicates with the web-services provider via a network 
communication device having a display interface a nd a selection Interface, the method 
further comprising: 

generating an option list in response to the client's request for u ser-specific 
information having at least one entry therein based on the dete rmined intended use_by 
the client of the requested us er-specific information in the data store: 

displaying to the user on the display interface of the network communication 
device an option menu reflecting the generated optio n list, said option menu prompting, 
the user to accept or reject at least one option using the selection interface of the 
network communication device, and said option list ge nerated In response to the.cJierjr§ 
request for user-specific information: 

receiving from the network communication devic e a selection signal indicatjyeof 
whether the user accepted or re jected the at least one option; and 

creating an access control rule based on the rec eived selection signal, sajd 
access control rule defining the extent of ac cess to the r^nftsted user-specific 
information in the data store granted to the client. 

Claim 2. (original) The method of claim 1 wherein comparing the determined intended 
use by the client with the default access control instruction further comprises comparing 
the client's requested form of access to the default access control instruction to 
determine if the default access control instruction permits the requested form of access. 

Claim 3. (original) The method of claim 1 wherein the client's requested form of 
access to the user-specific information in the data store identifies a desired subjuct 
matter to be accessed and a method of accessing the desired subject matter and 
wherein comparing the determined intended use by the client with the default access 
control instruction further comprises: 

determining if the default access control instruction permits the client to at>cess 

the desired subject matter; and 
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determining if the default access control instruction permits the identified method 
of accessing the desired subject matter. 

Claim 4. (canceled) 

Claim 5. (original) The method of claim 4 wherein creating the access control nile 
comprises updating the access control list such that the access control list reflects 
whether the user accepted or rejected the at least one option. 

Claim 6. (original) The method of claim 1 further comprising: 

determining if the client has a local copy of the requested user-specific 

information in the data store before transmitting the access request message; and 
retrieving said local copy of the requested user-specific Information if the local 

copy is available; 

determining if said local copy of the requested user-specific information is 
current; and 

transmitting the access request message only if said local copy of the requested 
user-specific information is not available and not current. 

Claim 7. (original) The method of claim 1 further comprising authenticating a digital 
identity of the user and denying access to the requested user-specific information in the 
data store if the digital identity of the user is not authenticated. 

Claim 8. (original) The method of claim 1 wherein determining the intended us«t by the 
client of the requested user-specific information further comprises obtaining a copy of 
an intentions document associated with the client, said intentions document including a 
field being indicative of the intended use by the client of the requested user-specific 
information. 

Claim 9. (original) The method of claim 1 further comprising: 
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determining if the client has an access subscription right to the requested user- 
specific information in the data store; and 

permitting the client to have access to the requested user-specific information in 
the data store if the client has the access subscription right to the requested user- 
specific information in the data store. 

Claim 10. (original) The method of claim 1 wherein permitting the client to have access 
to the requested user-specific information in the data store if the user has granted the 
form of access requested by the client further comprises: 

permitting the client to read the requested user-specific information in the data 
store; and 

permitting the client to write the requested user-specific information in the data 

store. 

Claim 1 1 . (original) The method of claim 10 wherein permitting the client to read the 
requested user-specific information in the data store comprises accessing said 
requested user-specific information and transmitting a copy of the accessed requested 
user-specific information to the client in a SOAP message. 

Claim 12. (original) The method of claim 10 wherein permitting the client to write the 
requested user-specific information in the data store comprises receiving at the web- 
services provider a SOAP message from the client identifying the requested user- 
specific information and writing the identified requested user-specific information in the 
data store. 

Claim 13. (original) The method of claim 1 wherein updating the access control list to 
permit the client to have access to the requested user-specific information in the data 
store if the default access control instruction permits the determined intended uso 
further comprises: 

updating the access control list to permit the client to read the requested user- 
specific information in the data store; and 



5 

PAGE 9(28 ' RCVD AT 12/5/2005 6:10:23 PM [Eastern Standard Time] ' SVR:USPTO-EFXRF-6J26 * DNIS:2738300 ' CSID:3142314342 * DURATION (mm-ss):07-00 



DEC-05-2005 HON 05:15 PM SENNIGER POWERS 



FAX NO. 3142314342 



P. 



MS#1 80490.01 (4909) 

updating the access control list to permit the client to write the requested user- 
specific information in the data store. 

Claim 14. (original) One or more computer-readable media having computer- 
executable instructions for performing the method recited in claim 1, 

Claim 15. (currently amended) A method of controlling access to user specific 
information for use in a network computer system including a web-services provider, a 
user of a service provided by the web-services provider, and a client of the web- 
services provider, said web-services provider maintaining a data store of user-specific 
information associated with the user, said user-specific information accessible by the 
user and having access by the client controlled by the user, said client seeking access 
to certain of the user-specific information in the data store, said method of controlling 
access to the user-specific information comprising: 

operatively receiving at the web-services provider a request from the client to 
access the certain user-specific information in the data store; 

determining an intended use by the client of the certain user-specific infonnation 
in the data store; 

determining an allowed level of access permitted by tine user; 

comparing the determined intended use with the determined allowed level of 
access; 

invoking a consent engine in response to the cli ent's request if the determined 
intended use is outside the allowed level of access, said c onsent engine informing the 
user of the client's request to access the certain use r-specific information in the data 
store and inviting the user to permit or to deny the client's re quest to access the certain 
user-specific information in the data store: and 

completing the request from the client to access the certain user-specific 
information in the data store when the determined intended use by said client of me 
certain user-specific information is within the determined allowed level of access 
permitted by the user. 
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Claim 16. (previously presented) The method of claim 15 wherein determining the 
intended use by the client of the certain user-specific information in the data storo 
comprises: 

determining a type of information within the certain user-specific information in 
the data store that is being requested by the client; and 

determining a form of access to the certain user-specific information in the data 
store that is being requested by the client. 

Claim 17. (previously presented) The method of claim 16 wherein comparing this 
determined intended use with the determined allowed level of access comprises: 
determining if the user permits access to the type of information within the* 
certain user-specific information in the data store that is being requested by the client; 
and 

determining if the user permits the form of access to the certain user-specific 
information in the data store that is being requested by the client. 

Claim 18. (previously presented) The method of claim 17 further comprising: 

creating an access filter, said access filter defining an extent to which the user 
permits access to the type of information within the certain user-specific information in 
the data store and an extent to which the user permits the form of access to the user- 
specific information in the data store; and 

wherein completing the request from the client to access the certain user- specific 
information in the data store when the determined intended use is within the determined 
allowed level of access further comprises: 

applying the access filter to the certain user-specific information in the data store 
to create a filtered information set; and 

permitting the client to access the filtered information set. 
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Claim 19. (previously presented) The method of claim 15 further comprising denying 
the client access to the requested certain user-specific information in the data store if 
the determined intended use is outside the allowed level of access. 

Claim 20. (canceled) 

Claim 21- (original) One or more computer-readable media having computer- 
executable instructions for performing the method recited in claim 15. 

Claim 22. (currently amended) A user-centric method of controlling access to user 
specific information in a network computing environment, said network computing 
environment including a web-sen/ices provider and a user of a service provided by the 
web-services provider, the web-services provider maintaining a data store of usfc- 
specific information associated with the user, said user-specific information accessible 
by the user and having access by the clients controlled by the user, the user 
communicating with the web-services provider via a network communication device 
having a display interface and a selection interface, said user-centric method of 
controlling access to user-specific information comprising: 
identifying the user; 

identifying a plurality of clients of the web-services provider wherein the user 
desires to grant access to the user-specific information in the data store to certain of the 
plurality of clients; 

identifying a method of access by which the user is willing to allow the ceilain 
clients to access the user-specific information in the data store; 

identifying a level of access to the user-specific information in the data store the 
user desires to impose on the certain clients; 

exposing a menu to the user on the display interface of the network 
communication device t said menu allowing the user to identify t he certain clients, the 
method of access, and the level of access; and 
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transmitting information indicating the iden tified certain clients, the method of 
access, and the level of access to the web-services provide r in a digital message 
format ; and 

writing an access control rule to an access control list associated with said data 
store, said access control rule limiting access to the user-specific information in the 
data store by the certain clients to the identified method of access and the identified 
level of access. 

Claim 23. (previously presented) The method of claim 22 further comprising identifying 
a subscription status, said subscription status indicating whether the user intends the 
certain clients to be notified if the user-specific information in the data store changes. 

Claim 24. (canceled) 

Claim 25. (previously presented) The method of claim 22 wherein identifying th€> 
method of access further comprises Identifying whether the certain clients is pennitted 
to modify the user-specific information in the data store. 

Claim 26. (previously presented) The method of claim 22 wherein identifying th«> level 
of access further comprises grouping the user-specific information in the data store into 
a plurality of information types and identifying which of said plurality of information types 
the certain clients may access. 

Claim 27. (original) The method of claim 22 further comprising: 

authenticating a digital identity of the user prior to writing the access control rule 
to the access control list associated with the data store of user-specific information; and 

writing the access control rule to said access control list only if the digital identity 
of the user is authenticated. 

Claim 28. (original) One or more computer-readable media having computer- 
executable instructions for performing the method recited in claim 22. 
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Claim 29. (currently amended) A system for controlling access to user-specific 
information in a network computing environment, the system comprising: 
a web-services service provider; 

a user of a service of the web-services provider, the web-services provider 
maintaining a data store of user-specific information associated with the user, said 
user-specific information accessible by the user and having access by the client 
controlled by the user, and a set of default access preferences defining a list of default 
access permissions allowed by the user, 

a client of the web-services provider, said client requesting access to certain of 
the user-specific information associated with the user and identifying an intended use 
by the client of the certain user-specific information in the data store;-and 

an access control engine operatively receiving the client request to access the 
certain user-specific information and dynamically creating an access control rule oy 
comparing the set of default access preferences with the intended use by the client, 
said access control rule granting the requested access by the client to the certain user- 
specific information if the intended use of the client of the certain user-specific 
information is within the list of default access permissions defined by the set of default 
access preferences allowed by the use r; and 

a consent eno ine generating an option list in response to the client's requ&stfor 
user-specific Information having at least one entry therein based on the intended use_by 
the client of the user-specific information in the data store, said consent engine 
displaying on the display interface of the network comm unication device an option 
menu reflecting the generated option list, said op tion menu prompting the user to 
accept or reject at least one option displayed on the option menu using the selection 
interface of the network communication device . 

Claim 30. (original) The system of claim 29 further comprising a network 
communication device having a display interface and a selection menu and wherein the 
user communicates with the web-services provider via the network communication 
device. 
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Claim 31 . (canceled) 

Claim 32. (original) The system of claim 31 wherein the network communication 
device generates a selection signal indicative of whether the user accepted or rejected 
the at least one option displayed on the option menu. 

Claim 33. (original) The system of claim 31 wherein the consent engine provider a 
consent signal having a parameter indicative of whether the user accepted or rejected 
the at least one option and wherein the access control engine receives the consent 
signal, said access control engine granting the requested access if the consent signal 
indicates that the user accepted the at least one option. 

Claim 34. (original) The system of claim 33 wherein the access control engine denies 
the requested access if the consent signal indicates that the user rejected the at least 
one option. 

Claim 35. (original) The system of claim 29 further comprising an authentication 
engine authenticating a digital identity of the user and wherein the access control 
engine denies the requested access if the digital identity of the user is not authenticated 
by the authentication engine. 

Claim 36. (original) The system of daim 29 further comprising a client intentions 
document identifying the intended use by the client of the user-specific information in 
the data store. 

Claim 37. (original) The system of claim 36 further comprising: 

a network communication device having a display interface and a selection menu 
and wherein the user communicates with the web-services provider via the network 
communication device; and 
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a consent engine retrieving the client intentions document and generating an 
option list having at least one entry therein based on the intended use identified in the 
intentions document, said consent engine displaying on the display interface of the 
network communication device an option menu reflecting the generated option list, said 
option menu prompting the user to accept or reject at least one option displayed on the 
option menu using the selection interface of the network communication device. 

Claim 38. (currently amended) A system for controlling access to a data store ol user- 
specific information in a network computing environment being accessed by a chont and 
a user, the system comprising: 

a web-services system providing a software service to the user, said web- 
services system maintaining the data store of user-specific information in connection 
with the software service, said user-specific information accessible by the user and 
having access by the client controlled by the user; 

a data store of default access preferences, said default access preferences 
defining a list of predetermined access permissions allowed by the user with respect to 
the data store of user-specific information, the client desiring access to certain of the 
user-specific information and transmitting an access request message having a 
parameter indicative of a desired form of access to the data store of user-specific 
information; 

an access control interface associated with the web-services system, said 
access control interface receiving the access request message and comparing the 
desired form of access to an access control list associated with the software service, 
said access control list identifying whether the user has granted the requested form of 
access requested by the client; an4 
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an access control engine determining an intended use by the client of the user- 
specific information in the data store of user-specific information, said access control 
engine also determining a default access preference defining a list of default access 
permissions to the data store of user-specific information that the user has allowed, the 
access control engine comparing the determined intended use and the default access 
permissions and dynamically creating an access control rule granting the desired 
access of the client if the intended use is permitted by the default access permissions; 
and 

a consent engine generating an option list in response to the clien t's request 
having at least one entry therein based on the intended use bv the client of the_uae& 
specific information in the data store, said consent engine dis playing on the display 
interface of the network communication device an option menu reflect ing the generated 
option list, said option menu prompting the user to accep t or reject at least one option 
displayed on the option menu using the selection interface of the network 
communication device. 

Claim 39. (original) The system of claim 38 wherein the access control interface 
comprises a service-side fabric associated with the software service provided by the 
web-services system. 

Claim 40. (currently amended) A method of controlling access to user specific 
information by a third party in a network computing environment, said network 
computing environment including a web-services provider, a user of a service provided 
by the web-services provider, the web-services provider maintaining a data store of 
user-specific information associated with the user, said user-specific information 
accessible by the user and having access by the third party controlled by the usor, the 
third party in digital communication with the web-services provider, the third party 
desiring access to certain of the user-specific information in the data store, and Hie user 
communicating with the web-services provider via a network communication device 
having a display interface and a selection interface, said method of controlling access 
to user-specific information by the third party comprising: 
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obtaining at the web-services provider a digital request message from the third 
party desiring access to the certain user-specific information in the data store; 

determining an intended purpose of the third party for accessing the certain user- 
specific information in the data store; 

generating an option list in response to the third party's request for user-s pecific 
information having at least one entry therein based on the determined intended purpose 
of the third party for accessing the certain user-specific information in the data store; 

displaying to the user on the display interface of the network communication 
device an option menu reflecting the generated option list, said option menu prompting 
the user to accept or reject at least one option using the selection interface of the 
network communication device; 

receiving from the network communication device a selection signal indicative of 
whether the user accepted or rejected the at least one option; and 

creating an access control rule based on the received selection signal, said 
access control rule defining an extent of access to the certain user-specific infomiation 
in the data store granted to the third party. 

Claim 41- (original) One or more computer-readable media having computer- 
executable instructions for performing the method recited in claim 40. 

Claim 42. (currently amended) A method of providing and selecting from a menu 
displayed on a display interface in a network computing environment, said network 
computing environment including a web-services provider, a user of a service provided 
by the web-services provider, the web-services provider maintaining a data store of 
user-specific information associated with the user, said user-specific information 
accessible by the user and having access by a third party controlled by the user, the 
third party in digital communication with the web-services provider, and the third party 
desiring access to certain of the user-specific information in the data store, the user 
communicating with the web-services provider via a network communication device 
having the display interface and a user selection interface, said method comprising: 
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retrieving an intentions document associated with the third party desiring access 
to the certain user-specific information in the data store, said intentions document 
identifying: 

a purpose for which the third party desires access to the certain user-specific 
information in the data store; 

a value proposition associated with the purpose for which the third party dosires 
access to the certain user-specific information in the data store; and 

a method by which the third party proposes to access the certain user-spocific 
information in the data store; 

generating a set of menu entries in response to the third pa rty's proposal, said 
menu entries identifying: 

an identity of the third party; 

the certain user-specific information in the data store to which the third party 
desires access; 

the purpose for which the third party desires access to the certain user-spocific 
information in the data store; 

the value proposition associated with the purpose for which the third party 
desires access to the certain user-specific information in the data store; 

the method by which the third party proposes to access the certain user-specific 
information in the data store; 

displaying the menu entries on the menu on the display interface of the network 
communication device; 

prompting the user to authorize or deny the third party to access the certain user- 
specific information in the data store; and 

operatively receiving a selection signal being indicative of whether the usor 
authorized or denied the third party to access the certain user-specific information in the 
data store, and creating an access control rule indicative of whether the user authorized 
the third party to access the certain user-specific information in the data store. 

Claim 43. (original) One or more computer-readable media having computer- 
executable instructions for performing the method recited in claim 42. 

15 

PAGE 19/28 1 RCVD AT 12/5/2005 6:10:23 PM [Eastern Standard Time] * SVR:USPT0-ff XRF-6/26 * DN1S:2738300 1 CSID:3142314342 * DURATION (mm-ss):07«00 



DEC-05-2005 HON 05:18 PM SENNIGER POWERS 



FAX NO. 3142314342 



P. 



MS#1 80490.01 (49K9) 



Claim 44. (currently amended) An access control engine for use in a network 
computing environment including a web-services provider providing a software s€.rvice, 
a user of the software service provided by the web-services provider, and a client, said 
web-services provider maintaining a data store of user-specific information in 
connection with the software service, said user-specific information accessible by the 
user and having access by the client controlled by the user, an access control list 
associated with the data store of user-specific information identifying existing access 
permissions to the data store of user-specific information, said web-services provider 
also maintaining a data store of user-specific default access preferences, and said 
client desiring access to the data store of user-specific information and transmitting an 
access request message to the web-services provider, the access control engine 
comprising: 

schema for receiving and parsing the access request message, said schema 
identifying an intended use by the client of the user-specific information in the daia 
store; 

a validation engine, said validation engine determining if the existing access 
permissions identified in the access control list permit the client to access the data store 
of user-specific information for said identified intended use; an4 

a policy engine being invoked if the existing access permissions identified in the 
access control list do not permit the client to access the data store of user-specific 
information for the identified intended use, said policy engine dynamically detemiining 
an access control rule by comparing the user-specific default access preferences with 
said identified Intended use, said validation engine writing said access control rule to 
the access control lis t: and 
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wherein the access control engine accesses a consent eng ine generating an 
option list in response to the client's reouest for user-specific informa tion having tit least 
one entry therein based on the intended use bv the client of the user-specific 
information in the data store, said consent engine displaying on th e display interface of 
the network communication device an option menu reflecting the genera ted option list. 
said option menu promoting the user to accept or reject at least one option dlsplaved_on 
t[ie option menu using the selection interface of the network communication dev uie. 

Claim 45. (original) The access control engine of claim 44 wherein the schema lor 
receiving and parsing the access request message further identifies a method by which 
the client desires to access the user-specific Information in the data store. 

Claim 46. (original) The access control engine of claim 45 wherein the validation 
engine determines if the existing access permissions identified in the access control list 
permit the client to access the data store of user-specific information using the identified 
method by which the client desires to access the user-specific information in the data 
store. 
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